Passwords, passwords never change...
Almost every Internet user has at least one account, or has at least once left personal data with some service. Mail services, social networks, cloud storage, online games and much more: Facebook alone holds more than 1 billion sets of credentials. Naturally, with such large audiences, companies try to provide good security for their servers and services. However, if users make no effort to protect their accounts and ignore even the minimum information security measures, all efforts from the outside can be in vain.
Why hack accounts? Many will say that they have nothing "secret" and in general they "only listen to music". However, having gained access to a user account, an attacker can often obtain the following information:
- personal information;
- payment data: transaction history, payment details, etc.;
- correspondence, including files with copies of passports, private photos and other critical documents.
Having seized control of the account, the attacker can then use it to send spam and malware or to attack other users: in particular, to ask all friends on the social network to transfer money to a phone number under some pretext.
Some may say: "I have nothing to hide." But is that really so? For example, the celebrities whose photos were leaked online probably also had nothing to hide, but they were unlikely to have wanted this.
Do not forget that the compromise of even one "uninteresting" account can lead to the compromise of more critical data of the same user (many use the same password for different services). In addition, a mailbox gives access to the various resources tied to it through the password recovery functionality. The chain of accounts can collapse like a house of cards if, say, the password to a social network account is reset, and through it the attacker successfully logs in to the sites that use the user's Facebook, VKontakte or LinkedIn page for authentication.
Password policies on services
So that users do not settle for the simplest passwords, services have password policies. They define requirements for length, character types, password complexity, etc. In this study, we decided to find out what policies are used on various web services and how companies protect themselves from weak passwords.
Consider two possible vectors of attack on user accounts.
The attacker has collected a database of users of a service and is trying to find their passwords online. In principle, they can use a dictionary of tens of gigabytes and try every combination for each account. But if each attempt takes a second, the results will be a long time coming. And after three authorization attempts the service will ask for a captcha, making the automated search impossible.
The attacker has obtained a service database with password hashes. They try to recover the passwords with a dictionary or an exhaustive search, but discover that the hashes are, for example, bcrypt (scrypt), salted SHA-512, or similar constructions, which slows the work down by several orders of magnitude. The wait for results will be as long as in the first case.
We decided to test only the most popular passwords, whose owners will be the first victims in both of the above cases. To prevent their use, many sites give recommendations on choosing a suitable combination of characters during registration. Let's check how well these tips protect users.
We will try to answer the following questions for each service:
- Does the service state any password recommendations explicitly (a set of rules on the registration page, etc.)?
- What rules must the user follow when choosing a combination of characters? For example, a service may state no recommendations explicitly, but report an error when the password fails some check.
- Which weak passwords could we register with?
- Are there any mechanisms to protect against unauthorized authorization, for example, two-factor authentication?
- What restrictions did services apply during registration or password recovery?
Methodology
Service password requirements
For the analysis, a set of rules was determined, in fact a compilation of recommendations from a set of services, some popular and some less so. Next, the requirements stated by each resource were assessed with penalty points. For each defect that could eventually lead to a "weakening" of the password, a point was counted. Conversely, services with optimal recommendations received negative points. The lower the score, the better the service's password policy.

Of course, the worst case is when there are no rules for creating passwords at all, and a large number of penalty points there needs no explanation. However, an approach where the service requires a combination no longer than 12 characters, or prohibits the use of the @ symbol, also "weakens" passwords, so penalty points are justified there too.
A small list of passwords was also compiled that to some extent satisfy these rules but are dictionary words and frequently used. If a service allowed registration with one of these combinations, it received penalty points.
Test dictionary passwords
To test whether simple passwords could be set, passwords were selected from several well-known dictionaries:
• Top 100 worst passwords (https://stricture-group.com/files/adobe-top100.txt)
• Top 10000 (https://uwnthesis.wordpress.com/2012/08/30/top-10000-passwords-used-by-98-8-of-all-users/)
• The RockYou dictionary, one of the most popular dictionaries for brute force attacks

Achievements
Since "achievements" can be found everywhere these days, a number of such "achievements" were invented as anti-awards: informational and practical.
Practical
Informational
After a service had been scored on all the tables, it received a total number of points. The grading is given below:
This methodology is not standardized and cannot claim to be complete, but its goal is, first of all, to give an idea of the state of password policies on web services.
Two-factor authentication
Since password policies were the primary subject of the study, the presence or absence of 2FA (two-factor authentication) did not affect the total score.
During testing, 80 services were analyzed. Of these, almost half (43) offer the ability to enable two-factor authentication. In none of them was it enabled by default, and for some it was necessary to search the Internet for instructions. There is a wonderful resource, https://twofactorauth.org, which lists a huge number of popular services and whether 2FA can be enabled on them. The presence of this option, the possibility of activating it and its proper use are a powerful mechanism for providing additional security.
Testing Web Services Password Policies
In total, 80 of the largest resources of various kinds were analyzed:
- mail services
- social networks
- e-commerce
- payment services
- game services
- cryptocurrency
- file storage and collaborative development
The full study is available at the following link:
http://dsec.ru/ipm-research-center/research/testing_the_password_policy_web_services/
Below is a table that clearly shows which services are most concerned about protecting their users' accounts, literally forcing them to create and use complex passwords. It also shows the champions in penalty points, which, in pursuit of popularity, forget about security.

Below I discuss some of the "results" for a few of them.
Mail Services
Mail services are the most popular of the resources studied. In addition to ordinary correspondence, they are widely used for registration with other services and applications. Having gained access to a mail account, one can use the password recovery function to reach other services where the user is registered.

In half of the largest mail services, protection against simple passwords is in reasonably good shape. With the exception of one service, the rest did not accept the simplest combinations during testing. However, if you add at least one digit or symbol to a simple password, or capitalize its first character, it immediately becomes acceptable.

Social networks
These are the most popular services in the world today: Facebook alone has over a billion users. It is not surprising that social networks are even used to arrange political upheavals.
Usually, a person's account in such a network is not just an abstract data record like John117, but a description of a specific person. People do not always understand that their profiles can be hacked, and provide detailed information about themselves. Sometimes, by breaking into an account on a social network, an attacker can seize the person's critical data and gain access to their entire social circle.

Most of the investigated services impose only a minimum requirement on the length of the user's password.
MeetMe was a particular "delight": it suggested not bothering at all and settling for a password of 3 to 12 characters.

In most cases, all or the overwhelming majority of the tested passwords were accepted. It turns out that social networks do not care what password you come up with. Password policies in social networks are in poor shape. This is evidenced both by the overall scores and by the huge number of "achievements". Clearly this is done for convenience: the user must register on the social network quickly, nothing should get in the way, and security issues remain "behind the scenes". Chose a weak password? Your problem.
E-commerce
Since online stores and e-commerce businesses sell goods and services, users find it convenient to leave them their personal data, their home address and generally all of their contact information. It would be nice if these services prohibited passwords like 123456. Let's see what really happens.

It turned out that e-commerce services, like social networks, do not like to present any specific rules or requirements for password complexity. The exceptions are Amazon, eBay and Best Buy.
Such "carelessness" about passwords can be explained by the desire to attract and retain customers. If a user spends two minutes on a purchase or registration at one service and thirty seconds at another, then, assuming roughly equal assortment and prices, he will certainly shop at the second.

Statistics show (although the sample is not large) that only 10% of online stores have any kind of password policy. With one exception, all the contestants give social networks "worthy" competition. And this despite the fact that everyone understands what hacking a user's e-commerce account opens up to an attacker. With it, one can obtain order information, payment history and personal data. In the end, one can "appropriate" other people's bonus points or order a large quantity of goods to one's own address at the user's expense. An interesting fact: when attempting to recover a password, Ozon.ru sends not a link for setting a new one, but the current password in clear text.
Findings
Even the largest services do not always pay enough attention to preventing the creation of simple passwords, and therefore to the security of user accounts. Only a few of the most popular Internet resources place strong demands on authentication. In the study, the winners were well-known resources: Gmail, Apple Store, MEGA, WebMoney, eBay.
However, the majority lost. Reports of information leaks appear daily; there are even specialized resources that publish user accounts of various services, ready-made scripts for brute-forcing accounts, and much more.
Such an attitude to secure authentication can be explained by services chasing an audience. Here it is necessary to find the "golden mean": overly complex rules force the user to spend significantly more time on registration, which can frighten them away. On the other hand, the complete absence of a policy will inevitably lead to incidents.
However, no matter how hard the service developers try, if the user does not care about his own security, no one can help him.
Popular misconceptions
- Add more characters and the password is already safe.
Making a password more resistant to brute force is often approached superficially: just add letters / digits. Often the requirement to include a capital letter and digits and to increase the length to 8 characters or more results in Qwerty123 and similar combinations. Statistics show that in 90% of cases the user makes the first character of the password the capital letter. And with a probability of 50%, each self-invented password falls into one of the 13 most common brute-force masks.
- The data that is stored on the sites is not needed by anyone (and even: “let them crack, if someone posts spam on a local forum from my account, nothing will change”).
This has been written about more than once: private correspondence can be read, the account can be used for phishing attacks, and much more. Any information can be a tool in the hands of an experienced attacker. In particular, hacking an email account can lead to the compromise of all services attached to it.
- A complex password is hard to remember, so I will use one everywhere or think of a rule for creating them!
Names of poets, city names, date + service name: Antongmail98, Anton1998, RainbowDash, etc. Why then would an attacker on another service not try, besides the ones above, Antonyahoo98, Anton1999, PinkiePie? And the complexity meter for these passwords will tell you that it would take more than 30 days to crack them.
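The misconceptions above describe exactly the passwords a registration-side check should catch: a dictionary word with a capital first letter and a digit appended, a password whose structure matches one of the common brute-force masks, and a password built from the service name. The following checker, added here as an illustration and not part of the original study, implements those three checks on top of the 8-character minimum the article asks for; the word list and mask list are small constructed stand-ins for the Top 100 dictionary and the common masks the article refers to.

```python
import re

# Constructed stand-in for the "top 100 worst passwords" dictionary used in the
# study; a real check would load the full list (or RockYou) from a file.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "abc123", "iloveyou",
                    "monkey", "dragon", "letmein", "football", "111111"}

# Constructed subset of common brute-force masks in hashcat notation
# (?u upper, ?l lower, ?d digit, ?s other); the article says about half of
# user-made passwords fall into roughly a dozen such masks.
COMMON_MASKS = {
    "?d?d?d?d?d?d",                  # 123456
    "?l?l?l?l?l?l?l?l",              # eight lowercase letters
    "?l?l?l?l?l?l?d?d",              # six letters + two digits
    "?u?l?l?l?l?l?d?d?d",            # Qwerty123
    "?u?l?l?l?l?l?l?l?d",            # Password1
    "?u?l?l?l?l?l?l?l?l?l?d?d",      # Antongmail98: capital, 9 letters, 2 digits
}

def mask_of(password):
    """Map each character to its class, e.g. 'Qwerty123' -> '?u?l?l?l?l?l?d?d?d'."""
    classes = []
    for ch in password:
        if ch.isupper():
            classes.append("?u")
        elif ch.islower():
            classes.append("?l")
        elif ch.isdigit():
            classes.append("?d")
        else:
            classes.append("?s")
    return "".join(classes)

def normalize(password):
    """Undo the cosmetic tweaks the article describes (leading capital,
    digits or symbols appended to a dictionary word) before the lookup."""
    return re.sub(r"[\d\W_]+$", "", password.lower())

def check_password(password, service_name=None, min_length=8):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    elif normalize(password) in COMMON_PASSWORDS:
        problems.append("common password with digits or capital added")
    if mask_of(password) in COMMON_MASKS:
        problems.append("matches a common brute-force mask")
    if service_name and service_name.lower() in password.lower():
        problems.append("contains the service name")
    return problems
```

With the lists above, Qwerty123 is rejected twice over (dictionary word plus a common mask) while a long passphrase passes all checks.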
Services and developers should not rely entirely on users, and users should not trust Internet services unconditionally. If a resource allows passwords shorter than 8 characters, performs no checks and treats its own recommendations carelessly, is it worth trusting it with your data?